Fix direct HTTP status sanitizer fallback
This commit is contained in:
parent
41e9ca219f
commit
8b37e7ea1e
@ -291,9 +291,11 @@ bool http_set_cookie_header_valid(String header)
|
||||
|
||||
String http_status_line_clean(String status_line)
|
||||
{
|
||||
if(status_line.find('\r') != String::npos || status_line.find('\n') != String::npos)
|
||||
return("Status: 500 Internal Server Error");
|
||||
return(status_line);
|
||||
if(status_line.find('\r') == String::npos && status_line.find('\n') == String::npos)
|
||||
return(status_line);
|
||||
if(str_starts_with(status_line, "HTTP/"))
|
||||
return("HTTP/1.1 500 Internal Server Error");
|
||||
return("Status: 500 Internal Server Error");
|
||||
}
|
||||
|
||||
namespace {
|
||||
|
||||
@ -58,6 +58,9 @@ def register(registry):
|
||||
location = response.headers.get("Location", "")
|
||||
if "\r" in location or "\n" in location:
|
||||
raise TestFailure("Location header contains raw CR/LF")
|
||||
status, direct_headers, direct_body = _direct_http_request("/site/tests/security_headers.uce")
|
||||
if status >= 500 and "security header sanitizer test" not in direct_body:
|
||||
raise TestFailure("direct HTTP sanitizer test did not render successfully; status=%s" % status)
|
||||
return "CRLF response header injection was sanitized"
|
||||
|
||||
def unknown_session_id_is_not_adopted(context):
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user